Is possible: Free security setup - without antivirus

Discussion in 'other anti-malware software' started by ocsi, Sep 21, 2011.

Thread Status:
Not open for further replies.
  1. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    LOL at some of the comments in this thread :D
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Opinions are like AVs, promise everything and deliver 95 percent.;)
     
  3. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    Thankfully, this is all sandboxed... :rolleyes:
     
  4. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    It may be that some folks here are too fanatic over it. Maybe even I am, I don't know.

    But dropping AV was a huge relief for me. I thought about it for many years even before joining Wilders, as I never got infected, and it noticeably slowed my computer down. I switched to lighter AVs, first to Eset NOD32, and later PrevX, but the main problem was still there - while they were light, they were still eating resources. After I found how to run safely without an AV, I ditched it pretty much immediately.

    That's why I endorse this approach to others too.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Missed this somehow.

    I pretty much agree completely.
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    me too:D
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Like I said earlier in this topic (or another maybe), AVs are still very much a legitimate defense. Only a definitive blacklist can truly say whether or not something is malicious with certainty. It's just a matter of whether or not that's how you choose to set things up.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    It really doesn't matter, so why do so many people make such a big deal about it? Myself included. Eating resources? Give me a break, the other way eats away at freedom of use.

    But really as long as a person is happy with whatever they choose, then that is just plain good.:thumb:
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    And FYI, Sandboxie slows my computer down more than Eset 5. So talk about resource loss.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think it's less of people making a big deal of it and more of this being a forum for discussion of security and security products.

    I agree that as long as a security setup works for someone, that's all that matters. That's what I'm arguing, whereas John thinks that an AV is necessary.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    ocsi,
    Regarding your original question, Can I have good security without an anti-virus?
    Don't take this wrong, but when a user asks that question, it generally means that they're not ready to take that step. In your first post, you asked (I'm assuming the underlined word was a typo) "If so: what would be that combination?" I'm assuming that you're asking for specific programs or applications with this question. I'd like to suggest a different approach to your question that should make it easier to figure out what method is right for you.

    Looking through this thread, you'll see that there are several ways to accomplish this. Each method has its own strengths, weaknesses, and different requirements from the user. Each method is based on a different fundamental approach or core policy.

    Antivirus software is what most typical users know about. Most of them know of no other options. AVs are basically "default-permit" security apps. Default-permit allows anything to run that's not identified (by signature, behavior, reputation, etc) as malicious. Default-permit based apps require very little from the user, depending almost entirely on the vendor to keep their detections up to date. They're also the most demanding on your system in regards to disk space and memory/resource usage.

    The exact opposite approach is default-deny. Instead of attempting to block everything that's malicious, default-deny blocks everything that's not identified as allowed. The big difference between them is in how they handle something unknown when it tries to run. Default-permit based apps will let it run while default-deny based apps will block it. Default-deny based security apps vary widely in regards to the whitelist that they'll allow. Some leave it completely up to the user to decide what should be whitelisted. Others get a lot of this data from their vendor. Most of them require a lot more input from the user, which means that the user needs to be able to tell it what to permit. Some classic HIPS like SSM and Malware Defender require a lot of knowledge from the user. Windows has built-in tools that can perform many of the same functions. There are several good threads here that explain how. The primary difference between using a 3rd party HIPS and the built-in tools is the degree of configurability and the level of control over the core system processes. HIPS generally allow much more detailed control, but they can conflict or interfere with other software or system processes, especially if they're not configured correctly. Default-deny is best suited to systems that aren't changed a lot. If you regularly try out new software, default-deny can be very inconvenient.

    Another effective option is a security policy based on containment. Two examples of this would be SandBoxie and Virtualbox (or Virtual PC, VMware, etc). Sandboxie (badly over-simplified explanation) contains individual applications like the browser in a "sandbox" and creates virtual duplicates of the system components that the sandboxed applications interact with. This keeps the real system components safe from anything a sandboxed application might do. When the user is done with whatever they were doing, they empty the sandbox and the system is back in its original state. Apps like VirtualBox take this concept farther. They create an entire virtual system, a complete PC that exists only as code. Everything done on the virtual system doesn't affect the real system. These virtual systems can be saved or reverted to their original state, depending on the user's needs. Both of these options are good at preventing malicious code from altering your real system. Their weakness is that they don't prevent malicious code from running in the sandbox or on the virtual system. While that malware wouldn't be able to infect your real system, it could log or steal data from the sandbox or virtual system like a keylogger. It's also possible (but not very likely) that someone will write malware that can break out of a sandbox or virtual system and infect the host system. Sandboxie doesn't require a lot of knowledge to use but can be made even more effective by a skilled user. It requires far less user input than most HIPS. With full virtualization, the user needs to supply or build and equip the virtual operating systems. Both are good choices for users who like to change things or try out a lot of new software.

    Another option is "reboot to restore" apps like Returnil. These return your system to its original condition when the user reboots. Like containment based applications, they prevent changes performed by malicious code or new apps from becoming permanent on your system. Like containment based apps, they also don't protect you from real-time malware like keyloggers.

    Depending on a user's needs, all of these policies can be combined. A user can run an AV protected virtual system on a default-deny protected host PC, for instance. A system can be protected by default-deny and have a sandbox where new apps are allowed to run. Many combinations are possible. While most of my descriptions are over-simplified, they can give you an idea of the different approaches that you can take, some of the pros and cons of each, and some of what each requires from you. Think about it and decide which approach best suits your needs and matches your abilities. That will make it easier to suggest apps or packages that will work for you.
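    The post above mentions that Windows has built-in tools for a default-deny policy. The script below is an added example, not code from the thread or from any of the products named in it: it reads the Software Restriction Policies (SRP) configuration from the registry and reports whether the machine is currently default-permit or default-deny, and which rules are defined. It assumes a Windows host with SRP stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer; the level numbers and value names are the ones SRP itself writes there.

```powershell
# Added example (not from the thread): report whether Software Restriction
# Policies are configured default-deny or default-permit on this machine.
# Assumes the SRP registry layout under HKLM\...\Safer; no key means no SRP.

$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in the DefaultLevel DWORD.
$levels = @{
    0      = 'Disallowed (default-deny)'
    131072 = 'Basic User'
    262144 = 'Unrestricted (default-permit)'
}

if (-not (Test-Path $srp)) {
    Write-Output 'No Software Restriction Policy configured: everything runs (default-permit).'
    return
}

$ids = Get-ItemProperty -Path $srp
if ($null -eq $ids.DefaultLevel) {
    Write-Output 'SRP key exists but DefaultLevel is unset: treated as Unrestricted (default-permit).'
    $default = 262144
} else {
    $default = [int]$ids.DefaultLevel
}
$name = if ($levels.ContainsKey($default)) { $levels[$default] } else { "Unknown ($default)" }
Write-Output "Default level: $name"
# TransparentEnabled: 1 = all files except DLLs, 2 = all files.
# PolicyScope: 0 = all users, 1 = all users except local administrators.
Write-Output "Enforcement  : TransparentEnabled=$($ids.TransparentEnabled) PolicyScope=$($ids.PolicyScope)"

# Each level may have a subkey holding its rules, grouped by type (Paths, Hashes, ...).
foreach ($lvl in ($levels.Keys | Sort-Object)) {
    $rulesKey = Join-Path $srp $lvl
    if (-not (Test-Path $rulesKey)) { continue }
    Write-Output "Rules at level $($levels[$lvl]):"
    foreach ($ruleType in Get-ChildItem $rulesKey) {
        foreach ($rule in Get-ChildItem $ruleType.PSPath) {
            $p = Get-ItemProperty $rule.PSPath
            # Path rules store the path in ItemData; hash rules store the hash
            # as bytes in ItemData and the original file name in FriendlyName.
            $what = if ($p.ItemData -is [string]) { $p.ItemData } else { $p.FriendlyName }
            Write-Output ('  {0}: {1}' -f $ruleType.PSChildName, $what)
        }
    }
}

if ($default -eq 0) {
    Write-Output 'Verdict: unknown executables are blocked; only what the rules whitelist runs.'
} else {
    Write-Output 'Verdict: unknown executables run unless a specific rule blocks them.'
}
```

Running it in an elevated PowerShell prompt before and after changing the default level in the Local Security Policy console makes the difference between the two policies visible on the actual machine.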
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    Amen, Hungry. It's just a discussion. :thumb:

    A free security setup without antivirus is entirely possible.
    One quick way is Sandboxie, Online Armor FW + HIPS, an on demand scanner or two and a back up program. I would add a secure browser <cough Chrome> with Norton DNS, and a couple add-ons like TrafficLight and WOT.
    That seems simple enough. :)
     
  13. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,342
    Location:
    USA
    @noone_particular: Nicely written. I think you did an excellent job in explaining various options available :thumb:
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    Hello Spysnake,
    Just to be clear, I don't think "you guys" are being too fanatical.
    I think you are pretty much excited about the way you have secured your computers, and proud of the fact that you did it without following conventional methods.
    But your enthusiasm for alternative security sometimes comes off as a stab at the "old-fashioned" AV users... and I don't mean you personally, Spysnake. Maybe call it a friendly jab in the ribs. You know what I mean. And some users here, in my opinion, might be abandoning their security programs without having devised a solid alternate plan.
    This is just a sense that I am getting... maybe it's more accurate to call it a concern. But it's all good, because for me, it continually forces me to reevaluate my security, and that is what will keep it good. :)
     
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Agree with Page42. You shouldn't go ditching your AV just to "keep up with the Joneses", and if you even have to ask the question "am I safe without one", the answer is probably "NO".

    The people that have decided to go without one haven't made the decision lightly, or arbitrarily, I'm sure. I have specific reasons for not using one. With my setup, static system, and usage, my odds of being infected are quite remote. And I run a dated XP system with 1 gig of RAM. In my case real-time scanning slows me down and increases an otherwise minuscule attack surface. And if I do happen to get infected, I just restore an image. To me that's far more practical than having real-time scanning perpetually eating my precious resources, since my odds of it happening are on par with being struck by lightning.

    If you're running a pimped out dual/quad+ core CPU and enough ram to last till the rapture, and browse every dark corner of the net and routinely get AV alerts... then you're a fool trying to go without an AV. It all depends on the individual. I do agree with a poster that it is irresponsible in general to recommend dropping an AV to others.

    And to answer the OP's question:

    NAT Router
    XP: Comodo FW/D+ --- Vista/7: Windows FW
    Sandboxie
    EaseUS Todo Backup Free -or- Macrium Reflect Free
    Firefox: Addons - NoScript, AdBlock Plus, BetterPrivacy, WOT
    Keyscrambler Personal
     
  16. Spysnake

    Spysnake Registered Member

    Joined:
    Apr 11, 2009
    Posts:
    189
    Page42,

    You are very right about going down the alternative route without a solid plan - there could be problems when someone changes his/her setup aggressively and trusts only what others have to say.

    Looking back at my posts in this and a few other threads makes me wonder if I or someone else speaking about the non-AV approach actually make things worse for someone. After all, as many have said, it's all about what suits you the best; you just have to make the right call.

    That said, everyone should make themselves familiar with the workings of the new programs/policies before taking them into full use. Even software like Sandboxie is actually pretty useless if the user doesn't know what it is about.
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I'd even go as far as to say "especially" programs like Sandboxie, since from what I recall default settings allow ALL programs to access the internet. You may as well not bother using it at all unless you learn how to effectively.
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    Ah, but don't forget, they all will still be accessing the net while sandboxed.
    It's not like they are exclusions.
    SBIE restrictions merely limit the number of things that can have start/run or internet access.
    :cool:
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    *sigh* got a long winded and low-content PM from John Bull. And it seems his PM box is full so I can't even reply!

    knock knock John, I've got it all typed up and everything
     
  20. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    JB sent me one of those long-winded low-content PMs a while back, and blocked me so I couldn't reply.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That figures! Not a thing to say about security.

    Confirmed troll? I'd say so.
     
  22. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I don't think things are black and white, either AV or no AV. For the last two years, ever since Sully was kind enough to take the time to explain to me, a noob, how Sandboxie worked, I have arranged and rearranged other software around it, looking for just the right combination for how I use the computer. Sometimes I have gone without a real-time AV, usually while beefing up security in some other way to compensate. I have talked to lots of people here trying to figure out how different layered security works together. The one constant has been my admiration for the genius behind what Sandboxie accomplishes and the freedom it gives me in choosing other parts of my security.

    I don't think it is a radical idea to run without a real-time AV, to me it's just a small shift from real-time to on-demand. I doubt there is anyone here who isn't using an AV somehow. In my case, it's easy to go from constant checking to a once-a-day scan by two good programs. As I've learned how to use the computer safely, the risk has gotten smaller. And now, if anything gets by, it should be found within a day, and I am set up to reload a system image quickly, so no big deal. I really don't understand why that is controversial in any way.

    As for leading the poor 'innocent user' (JB's term) astray by discussing how to have good security without the drawbacks of a real-time AV, anyone who would just throw out their AV without figuring out the consequences first is going to get into trouble anyway.
     
    Last edited: Sep 22, 2011
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,943
    Location:
    USA
    You're identifying the problem quite well.
    No one should be stifled or discouraged from advocating a security policy... nor should they be "sent to a secret room for dangerous ideas to be discussed by only the invited elite". (Ha ha, good one.)
     
  24. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    Oops, guess I edited out something good.
     
  25. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    I haven't used a real-time AV since I bought a laptop in 2004 that came with Norton, which at the time was more intrusive and hogged more resources than malware itself; after 2 weeks I reformatted to get rid of Norton and just used other means, mainly Windows hardening and common sense. I haven't had an infection or any big problems. I have trialed AVs and I definitely feel a difference in the way the computer runs, and I just don't see any need for it personally. I realize 99% of users are more comfortable with a real-time AV or just think it's impossible to use a computer without an AV scanning everything. I just disagree and advise others to do as they wish; this conversation has already been beaten to death.
     